#
# easy function hooking in process
#
from winappdbg import Process, Debug, EventHandler
import sys
# Win32 PAGE_* memory-protection flags (winnt.h values); nothing in this
# file references them yet, they are kept for filtering on flProtect.
PAGE_EXECUTE = 1 << 4
PAGE_EXECUTE_READ = 1 << 5
PAGE_EXECUTE_READWRITE = 1 << 6
PAGE_EXECUTE_WRITECOPY = 1 << 7
# Directory that receives the dumped write buffers; it is not created here.
WRITE_TO_DIR = r"C:\Temp"
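class HookHandler(EventHandler):
    """winappdbg event handler that logs and dumps a few Win32 API calls.

    winappdbg reads ``apiHooks`` and, for each entry, calls ``pre_<name>``
    before the API executes (with the return address and the raw call
    arguments) and ``post_<name>`` after it returns (with the return value).
    The handlers print the interesting argument for each call and, for the
    write APIs, copy the buffer the debuggee passes to the API into a file
    under ``WRITE_TO_DIR``.

    Every argument a hook receives is chosen by the debuggee, so pointers and
    sizes are treated as untrusted: a bad buffer is logged and skipped rather
    than allowed to raise out of the debugger loop.
    """

    # module -> [(exported name, number of arguments)].  The argument count
    # must match the real prototype so winappdbg reads the right number of
    # stack slots / registers into the pre_ hook.
    apiHooks = {
        "kernel32.dll": [
            # file creation
            # NOTE(review): kernel32 exports CreateFileA/CreateFileW; plain
            # "CreateFile" is a header macro.  Whether winappdbg tolerates an
            # unresolvable name in this table needs confirming.
            ("CreateFile", 7),
            ("CreateFileA", 7),
            ("CreateFileW", 7),
            # write operations
            ("WriteFile", 5),
            ("WriteFileEx", 5),
            # memory i/o
            ("VirtualAlloc", 4),
            ("VirtualAllocEx", 5),
            ("WriteProcessMemory", 5),
        ],
        "advapi32.dll": [
            ("RegCreateKeyExA", 9),
            ("RegCreateKeyExW", 9),
        ],
        # TODO: add more
    }

    # CreateFile* signals failure with INVALID_HANDLE_VALUE ((HANDLE)-1), not
    # NULL.  The return value arrives as a raw register value, so the 32- and
    # 64-bit unsigned encodings are listed alongside a signed -1.
    _INVALID_HANDLE_VALUES = (-1, 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF)

    def __init__(self, *args, **kwargs):
        """Forward to EventHandler and print the hook table being installed."""
        EventHandler.__init__(self, *args, **kwargs)
        print("[+] Initializing hooks")
        for dll, hooks in self.apiHooks.items():
            for func, argnum in hooks:
                print(" %s!%s (argnum=%d)" % (dll, func, argnum))

    # -- registry -----------------------------------------------------------

    def pre_RegCreateKeyExA(self, event, ra, hKey,
                            lpSubKey,
                            Reserved,
                            lpClass,
                            dwOptions,
                            samDesired,
                            lpSecurityAttributes,
                            phkResult,
                            lpdwDisposition):
        """Log the ANSI sub-key name about to be created/opened."""
        self.__dbg_print_string(event, "RegCreateKeyExA", lpSubKey)

    def pre_RegCreateKeyExW(self, event, ra, hKey,
                            lpSubKey,
                            Reserved,
                            lpClass,
                            dwOptions,
                            samDesired,
                            lpSecurityAttributes,
                            phkResult,
                            lpdwDisposition):
        """Log the wide-char sub-key name about to be created/opened."""
        self.__dbg_print_string(event, "RegCreateKeyExW", lpSubKey, is_unicode=True)

    # -- memory -------------------------------------------------------------

    def pre_VirtualAllocEx(self, event, ra,
                           hProcess,
                           lpAddress,
                           dwSize,
                           flAllocationType,
                           flProtect):
        """Log cross-process allocations (handle, size, protection)."""
        self.__dbg_print(event, "VirtualAllocEx: hProcess=%#.x size=%#.x flags=%#.x" % (hProcess, dwSize, flProtect))

    def pre_VirtualAlloc(self, event, ra,
                         lpAddress,
                         dwSize,
                         flAllocationType,
                         flProtect):
        """Log in-process allocations (size, protection)."""
        self.__dbg_print(event, "VirtualAlloc: size=%#.x flags=%#.x" % (dwSize, flProtect))

    def pre_WriteProcessMemory(self, event, ra,
                               hProcess,
                               lpBaseAddress,
                               lpBuffer,
                               nSize,
                               lpNumberOfBytesWritten):
        """Dump the buffer about to be written into another process.

        The file name encodes the target handle and destination range, so a
        later write to the same range replaces the earlier dump (truncate
        mode): the dump reflects the most recent content for that range.
        """
        fname = "%s\\%d-%.8x-%.8x.com" % (WRITE_TO_DIR, hProcess, lpBaseAddress, lpBaseAddress + nSize)
        self.__dump_buffer(event, "WriteProcessMemory", fname, lpBuffer, nSize, "w+b")

    # -- files --------------------------------------------------------------

    def pre_CreateFile(self, event, ra, lpFileName,
                       dwDesiredAccess,
                       dwShareMode,
                       lpSecurityAttributes,
                       dwCreationDisposition,
                       dwFlagsAndAttributes,
                       hTemplateFile):
        """Log the ANSI file name (see the note on "CreateFile" in apiHooks)."""
        self.__dbg_print_string(event, "CreateFile", lpFileName)

    def pre_CreateFileA(self, event, ra, lpFileName,
                        dwDesiredAccess,
                        dwShareMode,
                        lpSecurityAttributes,
                        dwCreationDisposition,
                        dwFlagsAndAttributes,
                        hTemplateFile):
        """Log the ANSI file name passed to CreateFileA."""
        self.__dbg_print_string(event, "CreateFileA", lpFileName)

    def pre_CreateFileW(self, event, ra, lpFileName,
                        dwDesiredAccess,
                        dwShareMode,
                        lpSecurityAttributes,
                        dwCreationDisposition,
                        dwFlagsAndAttributes,
                        hTemplateFile):
        """Log the wide-char file name passed to CreateFileW, then pause."""
        self.__dbg_print_string(event, "CreateFileW", lpFileName, is_unicode=True)
        # Deliberate interactive pause: the debuggee stays suspended inside the
        # hook until Enter is pressed (Python 2 builtin).
        raw_input("> ")

    def post_CreateFile(self, event, retval):
        """Report whether CreateFile returned a usable handle."""
        self.__is_success(event, retval)

    def post_CreateFileA(self, event, retval):
        """Report whether CreateFileA returned a usable handle."""
        self.__is_success(event, retval)

    def post_CreateFileW(self, event, retval):
        """Report whether CreateFileW returned a usable handle."""
        self.__is_success(event, retval)

    def pre_WriteFile(self, event, ra, hFile,
                      lpBuffer,
                      nNumberOfBytesToWrite,
                      lpNumberOfBytesWritten,
                      lpOverlapped):
        """Dump the bytes the debuggee is about to write to *hFile*.

        One dump file per handle value; successive WriteFile calls on the
        same handle are appended so the dump mirrors the written stream
        instead of keeping only the last chunk.  Handle values are reused by
        the OS, so two files opened one after the other can share a dump.
        """
        fname = "%s\\%.8x.com" % (WRITE_TO_DIR, hFile)
        self.__dump_buffer(event, "WriteFile", fname, lpBuffer, nNumberOfBytesToWrite, "ab")

    def pre_WriteFileEx(self, event, ra, hFile,
                        lpBuffer,
                        nNumberOfBytesToWrite,
                        lpNumberOfBytesWritten,
                        lpOverlapped):
        """Same dump as WriteFile.

        WriteFileEx's 4th/5th parameters are lpOverlapped and
        lpCompletionRoutine; only the first three are used here, so the
        parameter names are kept as in the WriteFile hook.
        """
        self.pre_WriteFile(event, ra, hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped)

    # -- helpers ------------------------------------------------------------

    def __dump_buffer(self, event, tag, fname, pointer, size, mode):
        """Copy *size* bytes at *pointer* in the debuggee into *fname*.

        *pointer* and *size* come straight from the hooked call.  An
        unreadable buffer or an unwritable dump path is logged and the hook
        returns normally; previously either would have propagated out of the
        debugger loop and stopped the whole session.
        """
        self.__dbg_print(event, "%s %d bytes to %s" % (tag, size, fname))
        try:
            mem = event.get_process().read(pointer, size)
        except Exception as e:  # NOTE(review): winappdbg's exact error type for an unreadable range is not pinned down here; narrow once confirmed
            self.__dbg_print(event, "%s: cannot read %d bytes at %#x (%s)" % (tag, size, pointer, e))
            return
        try:
            with open(fname, mode) as f:
                f.write(mem)
        except (IOError, OSError) as e:
            # e.g. WRITE_TO_DIR missing: keep debugging, just lose this dump.
            self.__dbg_print(event, "%s: cannot write %s (%s)" % (tag, fname, e))

    def __dbg_print_string(self, event, tag, pointer, is_unicode=False):
        """Read a NUL-terminated string at *pointer* in the debuggee and log it."""
        string = event.get_process().peek_string(pointer, fUnicode=is_unicode)
        self.__dbg_print(event, "%s -> '%s'" % (tag, string))

    def __dbg_print(self, event, message):
        """Print *message* prefixed with the thread id of the calling thread."""
        tid = event.get_tid()
        print("%d: %s" % (tid, message))

    def __is_success(self, event, retval):
        """Log and return whether a CreateFile* return value is a valid handle.

        A falsy value or INVALID_HANDLE_VALUE counts as failure; the original
        truthiness test reported INVALID_HANDLE_VALUE (all bits set) as success.
        """
        tid = event.get_tid()
        if retval and retval not in self._INVALID_HANDLE_VALUES:
            print("%d: Success: %x" % (tid, retval))
            return True
        print("%d: Failed!" % tid)
        return False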
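if __name__ == "__main__":
    # Usage: <script> <process_name>  -- the target is started under the
    # debugger and killed when the debugger exits (bKillOnExit).
    if len(sys.argv) != 2:
        print("[-] Incorrect syntax")
        print("%s <process_name>" % sys.argv[0])
        sys.exit(1)
    # Debug.execv takes an argv list.
    target = sys.argv[1:]
    dbg = None
    rc = 0
    try:
        dbg = Debug(HookHandler(), bKillOnExit=True)
        dbg.execv(target)
        dbg.loop()
    except Exception as e:
        # "%s", not "%e": %e is a float conversion and raised TypeError on the
        # exception object, hiding the real error.
        print("[-] Received exception: %s" % e)
        rc = 1
        # dbg is still None when Debug() itself failed.
        if dbg is not None:
            dbg.stop()
    finally:
        print("[+] Leaving")
    sys.exit(rc)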